18 India-specific terms with the defining regulation and a plain-English definition. Looking for global risk terms? See the main glossary.

SDF — Significant Data Fiduciary
A Data Fiduciary notified by the Central Government under the DPDP Act based on the volume and sensitivity of personal data it processes; subject to additional obligations including appointing a Data Protection Officer based in India, appointing an independent data auditor, periodic data protection impact assessments and audits, and verifying that deployed algorithmic software does not pose a risk to Data Principals
Data Protection Board of India
The quasi-judicial body established under the DPDP Act to adjudicate complaints and impose penalties of up to ₹250 crore per breach; operational ~May 2027

Consent Manager
A person registered with the Data Protection Board that enables Data Principals to give, manage, review, and withdraw consent across multiple Data Fiduciaries from a single interface

Data Fiduciary
An entity that alone or with others determines the purpose and means of processing personal data; the equivalent of GDPR's 'data controller'. Carries the primary obligations under the DPDP Act

Data Processor
An entity that processes personal data on behalf of a Data Fiduciary, under a valid contract. Carries fewer direct obligations than a Fiduciary; the Fiduciary remains accountable for the processing

RBI MD-ITGRC 2023 — Master Direction on IT Governance, Risk, Controls and Assurance Practices
Issued 7 November 2023, effective 1 April 2024. The primary RBI IT governance framework for its regulated entities

CSCRF — Cybersecurity and Cyber Resilience Framework
SEBI's consolidated cybersecurity standard for regulated entities, issued 20 August 2024. Supersedes the earlier SEBI cybersecurity circulars

CCI — Cyber Capability Index
A self-assessment maturity score submitted to SEBI by MIIs and Qualified REs (half-yearly for MIIs, annually for Qualified REs) showing cybersecurity posture across the CSCRF's cyber resilience goals (Anticipate, Withstand, Contain, Recover, Evolve)

RE — Regulated Entity (SEBI)
Any entity regulated by SEBI. CSCRF groups REs by size and systemic importance into Market Infrastructure Institutions (MIIs), Qualified REs (including Qualified RTAs), Mid-size REs, Small-size REs and Self-certification REs; obligations and timelines scale with the category

MIIs — Market Infrastructure Institutions
Stock exchanges, clearing corporations, and depositories; the highest tier of SEBI-regulated entities, with the strictest CSCRF obligations and the tightest timelines

IRDAI annual cybersecurity audit report
An annual report of cybersecurity audit results submitted by IRDAI-regulated insurers to the regulator; the audit must be performed and the report filed by a qualified IS auditor

CSITE — Cyber Security and IT Examination Cell (RBI)
The RBI unit to which banks must report cyber incidents within 2 to 6 hours of detection; it also conducts IT examinations of regulated entities

ITGRC — IT Governance, Risk, Controls and Assurance
The four-pillar structure of RBI's MD-ITGRC 2023: governance structure, risk management, controls catalogue, and assurance mechanisms

CERT-In Directions (April 2022)
Mandatory directions issued under Section 70B of the IT Act requiring organisations to report cyber incidents to CERT-In within 6 hours of noticing them, retain ICT system logs for 180 days within India, synchronise clocks to Indian NTP sources (NIC/NPL), and, for VPN, cloud, data centre and VPS providers, maintain subscriber/KYC records

NCIIPC — National Critical Information Infrastructure Protection Centre
The nodal agency under Section 70A of the IT Act for protecting Critical Information Infrastructure (CII), which the Central Government notifies under Section 70; its protective mandate is separate from CERT-In's incident response role

VAPT — Vulnerability Assessment and Penetration Testing
Mandated annual (or more frequent) security testing of all critical systems; must be conducted by empanelled or otherwise qualified testing firms, and findings must be remediated within the prescribed timelines

TPRM — Third-Party Risk Management
The process of assessing, monitoring, and managing risks from vendors, outsourced partners, and service providers; mandated by RBI MD-ITGRC 2023 and reinforced by the DPDP Act's Data Processor obligations

BRSR — Business Responsibility and Sustainability Reporting
SEBI-mandated sustainability disclosure framework for listed entities; relevant to RiskPedia's ESG and climate risk content